GDPR is a set of privacy laws going into effect on May 25th, 2018, that forces businesses to be more transparent about the use of people's data, and respectful of people's rights to decide what, when, why, and how that data is used. It requires businesses to be transparent with people about what data they capture and store about a person, the granular ways in which they use that data, and how they achieve those purposes. It also grants people about whom the data is collected the right to deny storing or processing their data, as well as to request a copy of the data, or to request that the data be deleted.
GDPR achieves its ends in a few ways. It requires organizations that collect data about citizens of the EU to be transparent and clear whenever they capture that information, about both what data they capture and how they use it. It requires those organizations to obtain explicit consent from people for each use of their data, and to create systems through which a person can withdraw their consent at any time. Organizations can no longer use people's data for purposes for which they did not obtain consent, and can no longer share data with undisclosed third parties. Finally, organizations are required to maintain a minimum standard of security so that the data they store about people is stored and processed securely at all times, to minimize the risk of it being compromised.
To ensure compliance with these laws, GDPR gives EU regulators the ability to levy significant fines ($20MM or 4% of annual revenue) against companies that do not abide by GDPR's mandates.
In the few short decades since the internet was commercialized, technology has transformed how we live and work. We search for answers to personal questions online, consume news and media that expose our private political and social affiliations, share personal messages, and shop for things that tell people who we are and what we like, all online, and all tracked by the businesses that help us do these things. In the process, these businesses capture our data, store it, use it, and often trade it in ways we have little consent over or control of. As we've seen over the past few years, that data has often been lost or misused. The Equifax data breach demonstrated that even the largest companies can lack the basic safeguards necessary to protect the most sensitive data they store about us, data we often gave little or no consent to capturing and using in the first place. Meanwhile, social networks and search engines capture inordinate amounts of data about us, and use it to monetize us in ways not fully known to us.
GDPR applies to you if you meet any of the following conditions:
If your business is exclusively local and outside the EU, you probably don't have to worry about GDPR. A flower shop in rural Ohio that only markets and ships to the local town is unlikely to have to comply, even if someone from the EU visits your website and ends up in your analytics solution.
But just because your business is small doesn't mean GDPR doesn't apply. A small-town SEO company that markets its services online and already has a few clients in other countries, even if it doesn't target customers in the EU specifically, is likely to have to abide by GDPR, because it is reasonable to assume the company would welcome business from European customers if it came along.
You can read the exact legal text here.
Our practices, policies, and products fully adhere to GDPR's mandates. Some of these include:
As our customers, you can trust us to ensure that the software you use to store and communicate with your customers, vendors, and other constituents is GDPR compliant.
However, it is up to you to ensure that your own policies, practices, and procedures comply with GDPR. To get started down that path, you should create a data protection team, familiarize yourself with the GDPR law, and institute the changes necessary to ensure compliance. We always recommend reading the full GDPR text and articles to familiarize yourself with the legislation, and then reviewing third-party explanations and checklists for becoming compliant. You can read the full GDPR text here.